When It Does, Businesses in Every US State Could Be Affected
Week after week, data breaches against businesses set new records, both in how many breaches occur and in how many victims each one affects. Facebook alone has disclosed exposures of 50 million accounts in one incident and 540 million records in another, to name just two, each of its breaches affecting tens to hundreds of millions of people. Capital One recently had records on 106 million people stolen, and the now infamous Equifax breach affected roughly 143 million US consumers.
These records belong to real people. More and more Americans, and consumers around the world, receive notification week after week that their account information has been compromised or stolen: banking details, credit card data, health information, academic records, or personal information such as birthdate, social security number and address. Many, if not most, Americans believe confidential information about them has already been exposed.
In 2018, Europe took strong action against these exposures by bringing the General Data Protection Regulation (GDPR) into force. The GDPR is the strongest data-privacy regulation to date, both in the rights it grants and in the penalties it imposes for violations. In a few short months, California will follow with a regulation of its own, the California Consumer Privacy Act (CCPA), which will be the strictest yet in the United States. Other states may follow suit before long.
The CCPA is scheduled to take effect January 1, 2020, with enforcement by the California Attorney General beginning July 1, 2020. It is the most expansive and comprehensive consumer-privacy act any US state has put in place and, like the GDPR, gives consumers more control over their information and how it is used. Although the law is California's, its reach will extend throughout the US and likely worldwide. Just as the GDPR binds any business that handles the personal data of people in the EU, wherever that business is located, the CCPA will bind companies outside California that handle California residents' data.
Your business will be affected if:
-and-
The rising volume of data breaches shows that consumer data is at risk and, by and large, poorly managed. The goal of these strict regulations is to give some control back to consumers; once the CCPA is in effect, they will have a say in how their own data is collected, used and sold.
Consumers will have more rights in the following areas:
The identifiers referred to above include a real name, aliases, postal address, unique personal identifiers, online identifiers, IP address, email address, account names, social security number, driver's license number, passport number, and similar identifiers.
Commercial information is covered as well: records of personal property, products or services purchased, obtained or considered, and other purchasing or consuming histories and tendencies. So is internet and other electronic network activity, such as browsing and search history and a consumer's interactions with a web site, application or advertisement.
The CCPA goes further, treating as personal information a range of characteristics and behaviors: geolocation data, and inferences drawn from any of the above to build a profile of a consumer's preferences, psychological trends, behavior, attitudes, abilities, intelligence and aptitudes. Depending on what a business collects, that can include household purchase data, family information (for example the number of children), financial information, sleep habits, and more.
The list of preparations may be long. Companies that have adequately prepared for the GDPR have a leg up: many good guidelines are available, and the GDPR itself is a useful model. Yet, as in the months before the GDPR took effect, companies are slow to prepare; a 2018 PwC survey found that 64% of companies had not begun preparing for the CCPA. Preparing for a regulation like this can be extensive and may require considerable changes to existing systems and policies.
But prepared or not, every company that meets the above criteria and does business in California or with California consumers must comply by the January 1 deadline. Claiming ignorance of your own company's activities, or of how related third parties handle personal information, is no shield: companies are fully liable for the data they manage.
Getting into compliance involves many steps, including:
Assess your company's current handling of consumer data: Identify what personal information is collected, where it is stored, who it is shared with, and which current policies or practices could violate the new law, then change those practices by January 1.
Ensure a sound data collection, storage and management system: Companies must tell consumers what is being collected at or before the point of collection and, on request, provide a report of the personal information held about that consumer. The report must be provided free of charge and within 45 days of a verifiable request, and a business need not provide it more than twice in a 12-month period. That is only feasible if every system holding personal information is inventoried and can be queried per consumer, and the data is stored and protected as the CCPA requires.
Provide clear communication: Companies that sell personal information must place a clear and conspicuous link on their homepage titled "Do Not Sell My Personal Information," through which consumers can opt out, and must honor that choice.
Acquire qualified staff and educate them: Ensure that staff, especially those who handle consumer inquiries, are informed, trained and knowledgeable about the CCPA's requirements.
Develop a reliable audit process: You will need to demonstrate conformance to auditors, vendors, data processors and others, so keep records of data flows, of the requests received and of how each was fulfilled.
Implement robust security: The CCPA does not prescribe specific controls, but it gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, when a breach results from a failure to implement and maintain reasonable security procedures and practices. The GDPR has a comparable requirement for appropriate technical and organisational measures, and strong security is a precondition for data privacy in any case.
Have a data breach response and notification plan: The GDPR, for example, gives companies 72 hours to notify the supervisory authority of a breach, and missing that deadline is itself a violation that adds to the penalty. California's existing breach notification law requires notifying affected residents in the most expedient time possible and without unreasonable delay. A rehearsed plan that names who decides, who notifies and what evidence to preserve is what makes those deadlines achievable.
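To make the access-report and opt-out obligations above concrete, here is an added example (an editor's illustration, not code from the original article or from any product it mentions). It models a minimal per-consumer data inventory: FIELD_CATEGORIES, Consumer, SAMPLE and every field name in them are hypothetical; the 45-day response window and the twice-per-12-months limit on access reports are the CCPA's own figures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Categories of personal information named in the article, keyed by the field
# names a hypothetical business stores. The mapping is constructed for this
# example; a real inventory would be derived from the schemas actually in use.
FIELD_CATEGORIES = {
    "name": "identifiers",
    "email": "identifiers",
    "ip_address": "identifiers",
    "drivers_license": "identifiers",
    "purchases": "commercial information",
    "browsing_history": "internet or network activity",
    "geolocation": "geolocation data",
    "inferred_interests": "inferences",
}

RESPONSE_DAYS = 45         # CCPA: answer a verifiable request within 45 days
MAX_REQUESTS_PER_YEAR = 2  # CCPA: no obligation to report more than twice per 12 months


@dataclass
class Consumer:
    consumer_id: str
    fields: dict
    do_not_sell: bool = False
    access_requests: list = field(default_factory=list)  # dates of reports already served


class AccessRequestLimit(Exception):
    """Raised when a consumer has already received two reports in the last 12 months."""


def _as_date(d) -> date:
    """Accept a date or an ISO-8601 string (hypothetical convenience helper)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def response_due(received) -> date:
    """Statutory deadline for answering a request received on `received`."""
    return _as_date(received) + timedelta(days=RESPONSE_DAYS)


def access_report(consumer: Consumer, today) -> dict:
    """Build the free access report: each stored field grouped under its CCPA
    category. Fields missing from the inventory are flagged UNCLASSIFIED so the
    gap is visible instead of being silently omitted."""
    today = _as_date(today)
    window_start = today - timedelta(days=365)
    served = [d for d in consumer.access_requests if d > window_start]
    if len(served) >= MAX_REQUESTS_PER_YEAR:
        raise AccessRequestLimit(f"{consumer.consumer_id}: report limit reached")
    consumer.access_requests.append(today)
    report: dict = {}
    for name, value in consumer.fields.items():
        category = FIELD_CATEGORIES.get(name, "UNCLASSIFIED")
        report.setdefault(category, {})[name] = value
    return report


def record_opt_out(consumer: Consumer) -> None:
    """Handle a click on the "Do Not Sell My Personal Information" link."""
    consumer.do_not_sell = True


def saleable_records(consumers) -> list:
    """Records eligible for sale to a third party: opted-out consumers are excluded."""
    return [c for c in consumers if not c.do_not_sell]


# Constructed sample data, not taken from any real system.
SAMPLE = [
    Consumer("c-1001", {
        "name": "A. Example", "email": "a@example.com",
        "purchases": ["router"], "geolocation": (37.77, -122.42),
        "sleep_habits": "7h",   # stored but absent from the inventory -> UNCLASSIFIED
    }),
    Consumer("c-1002", {"name": "B. Example", "browsing_history": ["/pricing"]},
             do_not_sell=True),
]

if __name__ == "__main__":
    today = "2020-01-02"
    print("respond by", response_due(today))
    print(access_report(SAMPLE[0], today))
    print("saleable:", [c.consumer_id for c in saleable_records(SAMPLE)])
```

The UNCLASSIFIED bucket is the part worth copying: an access report that silently drops fields nobody mapped is exactly how a business ends up certifying a report that is incomplete, and the same unmapped fields are the ones most likely to be sold or shared without the opt-out being applied.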
Sources:
https://digitalguardian.com/blog/what-california-data-privacy-protection-act
https://taginspector.com/articles/preparing-for-the-ccpa-5-steps-your-company-should-be-taking-now/